1e0c4386eSCy Schubert#! /usr/bin/env perl 2*e7be843bSPierre Pronchery# Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. 3e0c4386eSCy Schubert# 4e0c4386eSCy Schubert# Licensed under the Apache License 2.0 (the "License"). You may not use 5e0c4386eSCy Schubert# this file except in compliance with the License. You can obtain a copy 6e0c4386eSCy Schubert# in the file LICENSE in the source distribution or at 7e0c4386eSCy Schubert# https://www.openssl.org/source/license.html 8e0c4386eSCy Schubert 9e0c4386eSCy Schubertuse strict; 10e0c4386eSCy Schubertuse warnings; 11e0c4386eSCy Schubert 12e0c4386eSCy Schubertuse File::Spec::Functions qw(:DEFAULT abs2rel); 13e0c4386eSCy Schubertuse File::Copy; 14e0c4386eSCy Schubertuse OpenSSL::Glob; 15e0c4386eSCy Schubertuse OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; 16e0c4386eSCy Schubertuse OpenSSL::Test::Utils; 17e0c4386eSCy Schubert 18e0c4386eSCy SchubertBEGIN { 19e0c4386eSCy Schubert setup("test_fipsinstall"); 20e0c4386eSCy Schubert} 21e0c4386eSCy Schubertuse lib srctop_dir('Configurations'); 22e0c4386eSCy Schubertuse lib bldtop_dir('.'); 23e0c4386eSCy Schubertuse platform; 24e0c4386eSCy Schubert 25e0c4386eSCy Schubertplan skip_all => "Test only supported in a fips build" if disabled("fips"); 26e0c4386eSCy Schubert 27*e7be843bSPierre Pronchery# Compatible options for pedantic FIPS compliance 28*e7be843bSPierre Proncherymy @pedantic_okay = 29*e7be843bSPierre Pronchery ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload', 30*e7be843bSPierre Pronchery 'signature_digest_check' 31*e7be843bSPierre Pronchery ); 32*e7be843bSPierre Pronchery 33*e7be843bSPierre Pronchery# Incompatible options for pedantic FIPS compliance 34*e7be843bSPierre Proncherymy @pedantic_fail = 35*e7be843bSPierre Pronchery ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall', 36*e7be843bSPierre Pronchery 'no_pbkdf2_lower_bound_check' ); 37*e7be843bSPierre Pronchery 38*e7be843bSPierre Pronchery# Command line options 39*e7be843bSPierre Proncherymy @commandline = 40*e7be843bSPierre Pronchery ( 41*e7be843bSPierre Pronchery ( 'ems_check', 'tls1-prf-ems-check' ), 42*e7be843bSPierre Pronchery ( 'no_short_mac', 'no-short-mac' ), 43*e7be843bSPierre Pronchery ( 'no_drbg_truncated_digests', 'drbg-no-trunc-md' ), 44*e7be843bSPierre Pronchery ( 'signature_digest_check', 'signature-digest-check' ), 45*e7be843bSPierre Pronchery ( 'hkdf_digest_check', 'hkdf-digest-check' ), 46*e7be843bSPierre Pronchery ( 'tls13_kdf_digest_check', 'tls13-kdf-digest-check' ), 47*e7be843bSPierre Pronchery ( 'tls1_prf_digest_check', 'tls1-prf-digest-check' ), 48*e7be843bSPierre Pronchery ( 'sshkdf_digest_check', 'sshkdf-digest-check' ), 49*e7be843bSPierre Pronchery ( 'sskdf_digest_check', 'sskdf-digest-check' ), 50*e7be843bSPierre Pronchery ( 'x963kdf_digest_check', 'x963kdf-digest-check' ), 51*e7be843bSPierre Pronchery ( 'dsa_sign_disabled', 'dsa-sign-disabled' ), 52*e7be843bSPierre Pronchery ( 'tdes_encrypt_disabled', 'tdes-encrypt-disabled' ), 53*e7be843bSPierre Pronchery ( 'rsa_pkcs15_pad_disabled', 'rsa-pkcs15-pad-disabled' ), 54*e7be843bSPierre Pronchery ( 'rsa_pss_saltlen_check', 'rsa-pss-saltlen-check' ), 55*e7be843bSPierre Pronchery ( 'rsa_sign_x931_disabled', 'rsa-sign-x931-pad-disabled' ), 56*e7be843bSPierre Pronchery ( 'hkdf_key_check', 'hkdf-key-check' ), 57*e7be843bSPierre Pronchery ( 'kbkdf_key_check', 'kbkdf-key-check' ), 58*e7be843bSPierre Pronchery ( 'tls13_kdf_key_check', 'tls13-kdf-key-check' ), 59*e7be843bSPierre Pronchery ( 'tls1_prf_key_check', 'tls1-prf-key-check' ), 60*e7be843bSPierre Pronchery ( 'sshkdf_key_check', 'sshkdf-key-check' ), 61*e7be843bSPierre Pronchery ( 'sskdf_key_check', 'sskdf-key-check' ), 62*e7be843bSPierre Pronchery ( 'x963kdf_key_check', 'x963kdf-key-check' ), 63*e7be843bSPierre Pronchery ( 'x942kdf_key_check', 'x942kdf-key-check' ) 64*e7be843bSPierre Pronchery ); 65*e7be843bSPierre Pronchery 66*e7be843bSPierre Proncheryplan tests => 40 + (scalar @pedantic_okay) + (scalar @pedantic_fail) 67*e7be843bSPierre Pronchery + 4 * (scalar @commandline); 68e0c4386eSCy Schubert 69e0c4386eSCy Schubertmy $infile = bldtop_file('providers', platform->dso('fips')); 70e0c4386eSCy Schubertmy $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00'; 71e0c4386eSCy Schubertmy $provconf = srctop_file("test", "fips-and-base.cnf"); 72e0c4386eSCy Schubert 73e0c4386eSCy Schubert# Read in a text $infile and replace the regular expression in $srch with the 74e0c4386eSCy Schubert# value in $repl and output to a new file $outfile. 75e0c4386eSCy Schubertsub replace_line_file_internal { 76e0c4386eSCy Schubert 77e0c4386eSCy Schubert my ($infile, $srch, $repl, $outfile) = @_; 78e0c4386eSCy Schubert my $msg; 79e0c4386eSCy Schubert 80e0c4386eSCy Schubert open(my $in, "<", $infile) or return 0; 81e0c4386eSCy Schubert read($in, $msg, 1024); 82e0c4386eSCy Schubert close $in; 83e0c4386eSCy Schubert 84e0c4386eSCy Schubert $msg =~ s/$srch/$repl/; 85e0c4386eSCy Schubert 86e0c4386eSCy Schubert open(my $fh, ">", $outfile) or return 0; 87e0c4386eSCy Schubert print $fh $msg; 88e0c4386eSCy Schubert close $fh; 89e0c4386eSCy Schubert return 1; 90e0c4386eSCy Schubert} 91e0c4386eSCy Schubert 92e0c4386eSCy Schubert# Read in the text input file 'fips.cnf' 93e0c4386eSCy Schubert# and replace a single Key = Value line with a new value in $value. 94e0c4386eSCy Schubert# OR remove the Key = Value line if the passed in $value is empty. 95e0c4386eSCy Schubert# and then output a new file $outfile. 96e0c4386eSCy Schubert# $key is the Key to find 97e0c4386eSCy Schubertsub replace_line_file { 98e0c4386eSCy Schubert my ($key, $value, $outfile) = @_; 99e0c4386eSCy Schubert 100e0c4386eSCy Schubert my $srch = qr/$key\s*=\s*\S*\n/; 101e0c4386eSCy Schubert my $rep; 102e0c4386eSCy Schubert if ($value eq "") { 103e0c4386eSCy Schubert $rep = ""; 104e0c4386eSCy Schubert } else { 105e0c4386eSCy Schubert $rep = "$key = $value\n"; 106e0c4386eSCy Schubert } 107e0c4386eSCy Schubert return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile); 108e0c4386eSCy Schubert} 109e0c4386eSCy Schubert 110e0c4386eSCy Schubert# Read in the text input file 'test/fips.cnf' 111e0c4386eSCy Schubert# and replace the .cnf file used in 112e0c4386eSCy Schubert# .include fipsmodule.cnf with a new value in $value. 113e0c4386eSCy Schubert# and then output a new file $outfile. 114e0c4386eSCy Schubert# $key is the Key to find 115e0c4386eSCy Schubertsub replace_parent_line_file { 116e0c4386eSCy Schubert my ($value, $outfile) = @_; 117e0c4386eSCy Schubert my $srch = qr/fipsmodule.cnf/; 118e0c4386eSCy Schubert my $rep = "$value"; 119e0c4386eSCy Schubert return replace_line_file_internal(srctop_file("test", 'fips.cnf'), 120e0c4386eSCy Schubert $srch, $rep, $outfile); 121e0c4386eSCy Schubert} 122e0c4386eSCy Schubert 123*e7be843bSPierre Pronchery# Check if the specified pattern occurs in the given file 124*e7be843bSPierre Pronchery# Returns 1 if the pattern is found and 0 if not 125*e7be843bSPierre Proncherysub find_line_file { 126*e7be843bSPierre Pronchery my ($key, $file) = @_; 127*e7be843bSPierre Pronchery 128*e7be843bSPierre Pronchery open(my $in, $file) or return -1; 129*e7be843bSPierre Pronchery while (my $line = <$in>) { 130*e7be843bSPierre Pronchery if ($line =~ /$key/) { 131*e7be843bSPierre Pronchery close($in); 132*e7be843bSPierre Pronchery return 1; 133*e7be843bSPierre Pronchery } 134*e7be843bSPierre Pronchery } 135*e7be843bSPierre Pronchery close($in); 136*e7be843bSPierre Pronchery return 0; 137*e7be843bSPierre Pronchery} 138*e7be843bSPierre Pronchery 139e0c4386eSCy Schubert# fail if no module name 140e0c4386eSCy Schubertok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', 141e0c4386eSCy Schubert '-provider_name', 'fips', 142e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 143e0c4386eSCy Schubert '-section_name', 'fips_sect'])), 144e0c4386eSCy Schubert "fipsinstall fail"); 145e0c4386eSCy Schubert 146e0c4386eSCy Schubert# fail to verify if the configuration file is missing 147e0c4386eSCy Schubertok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile, 148e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 149e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 150e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 151e0c4386eSCy Schubert "fipsinstall verify fail"); 152e0c4386eSCy Schubert 153e0c4386eSCy Schubert# output a fips.cnf file containing mac data 154e0c4386eSCy Schubertok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 155e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 156e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 157e0c4386eSCy Schubert '-section_name', 'fips_sect'])), 158e0c4386eSCy Schubert "fipsinstall"); 159e0c4386eSCy Schubert 160e0c4386eSCy Schubert# verify the fips.cnf file 161e0c4386eSCy Schubertok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, 162e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 163e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 164e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 165e0c4386eSCy Schubert "fipsinstall verify"); 166e0c4386eSCy Schubert 167*e7be843bSPierre Pronchery# Test that default options for fipsinstall output the 'install-status' for 168*e7be843bSPierre Pronchery# FIPS 140-2 providers. 169*e7be843bSPierre ProncherySKIP: { 170*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), 171*e7be843bSPierre Pronchery capture => 1, statusvar => \my $exit); 172*e7be843bSPierre Pronchery 173*e7be843bSPierre Pronchery skip "Skipping FIPS 140-3 provider", 2 174*e7be843bSPierre Pronchery if !$exit; 175*e7be843bSPierre Pronchery 176*e7be843bSPierre Pronchery ok(find_line_file('install-mac = ', 'fips.cnf') == 1, 177*e7be843bSPierre Pronchery 'FIPS 140-2 should output install-mac'); 178*e7be843bSPierre Pronchery 179*e7be843bSPierre Pronchery ok(find_line_file('install-status = INSTALL_SELF_TEST_KATS_RUN', 180*e7be843bSPierre Pronchery 'fips.cnf') == 1, 181*e7be843bSPierre Pronchery 'FIPS 140-2 should output install-status'); 182*e7be843bSPierre Pronchery} 183*e7be843bSPierre Pronchery 184*e7be843bSPierre Pronchery# Skip Tests if POST is disabled 185*e7be843bSPierre ProncherySKIP: { 186*e7be843bSPierre Pronchery skip "Skipping POST checks", 13 187*e7be843bSPierre Pronchery if disabled("fips-post"); 188*e7be843bSPierre Pronchery 189e0c4386eSCy Schubert ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf') 190e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 191e0c4386eSCy Schubert '-in', 'fips_no_module_mac.cnf', 192e0c4386eSCy Schubert '-module', $infile, 193e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 194e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 195e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 196e0c4386eSCy Schubert "fipsinstall verify fail no module mac"); 197e0c4386eSCy Schubert 198e0c4386eSCy Schubert ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf') 199e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 200e0c4386eSCy Schubert '-in', 'fips_no_install_mac.cnf', 201e0c4386eSCy Schubert '-module', $infile, 202e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 203e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 204e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 205e0c4386eSCy Schubert "fipsinstall verify fail no install indicator mac"); 206e0c4386eSCy Schubert 207e0c4386eSCy Schubert ok(replace_line_file('module-mac', '00:00:00:00:00:00', 208e0c4386eSCy Schubert 'fips_bad_module_mac.cnf') 209e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 210e0c4386eSCy Schubert '-in', 'fips_bad_module_mac.cnf', 211e0c4386eSCy Schubert '-module', $infile, 212e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 213e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 214e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 215e0c4386eSCy Schubert "fipsinstall verify fail if invalid module integrity value"); 216e0c4386eSCy Schubert 217e0c4386eSCy Schubert ok(replace_line_file('install-mac', '00:00:00:00:00:00', 218e0c4386eSCy Schubert 'fips_bad_install_mac.cnf') 219e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 220e0c4386eSCy Schubert '-in', 'fips_bad_install_mac.cnf', 221e0c4386eSCy Schubert '-module', $infile, 222e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 223e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 224e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 225e0c4386eSCy Schubert "fipsinstall verify fail if invalid install indicator integrity value"); 226e0c4386eSCy Schubert 227e0c4386eSCy Schubert ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING', 228e0c4386eSCy Schubert 'fips_bad_indicator.cnf') 229e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 230e0c4386eSCy Schubert '-in', 'fips_bad_indicator.cnf', 231e0c4386eSCy Schubert '-module', $infile, 232e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 233e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 234e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 235e0c4386eSCy Schubert "fipsinstall verify fail if invalid install indicator status"); 236e0c4386eSCy Schubert 237e0c4386eSCy Schubert # fail to verify the fips.cnf file if a different key is used 238*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', 239*e7be843bSPierre Pronchery '-module', $infile, 240e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 241e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", 242e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 243e0c4386eSCy Schubert "fipsinstall verify fail bad key"); 244e0c4386eSCy Schubert 245e0c4386eSCy Schubert # fail to verify the fips.cnf file if a different mac digest is used 246*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', 247*e7be843bSPierre Pronchery '-module', $infile, 248e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 249e0c4386eSCy Schubert '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey", 250e0c4386eSCy Schubert '-section_name', 'fips_sect', '-verify'])), 251e0c4386eSCy Schubert "fipsinstall verify fail incorrect digest"); 252e0c4386eSCy Schubert 253e0c4386eSCy Schubert # corrupt the module hmac 254*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', 255*e7be843bSPierre Pronchery '-module', $infile, 256e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 257e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 258e0c4386eSCy Schubert '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])), 259e0c4386eSCy Schubert "fipsinstall fails when the module integrity is corrupted"); 260e0c4386eSCy Schubert 261e0c4386eSCy Schubert # corrupt the first digest 262*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 263*e7be843bSPierre Pronchery '-module', $infile, 264e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 265e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 266a7148ab3SEnji Cooper '-section_name', 'fips_sect', '-corrupt_desc', 'SHA2'])), 267e0c4386eSCy Schubert "fipsinstall fails when the digest result is corrupted"); 268e0c4386eSCy Schubert 269e0c4386eSCy Schubert # corrupt another digest 270*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 271*e7be843bSPierre Pronchery '-module', $infile, 272e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 273e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 274e0c4386eSCy Schubert '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])), 275e0c4386eSCy Schubert "fipsinstall fails when the digest result is corrupted"); 276e0c4386eSCy Schubert 277e0c4386eSCy Schubert # corrupt cipher encrypt test 278*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 279*e7be843bSPierre Pronchery '-module', $infile, 280e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 281e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 282e0c4386eSCy Schubert '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])), 283e0c4386eSCy Schubert "fipsinstall fails when the AES_GCM result is corrupted"); 284e0c4386eSCy Schubert 285e0c4386eSCy Schubert # corrupt cipher decrypt test 286*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 287*e7be843bSPierre Pronchery '-module', $infile, 288e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 289e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 290e0c4386eSCy Schubert '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])), 291e0c4386eSCy Schubert "fipsinstall fails when the AES_ECB result is corrupted"); 292e0c4386eSCy Schubert 293e0c4386eSCy Schubert # corrupt DRBG 294*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 295*e7be843bSPierre Pronchery '-module', $infile, 296e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 297e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 298e0c4386eSCy Schubert '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])), 299e0c4386eSCy Schubert "fipsinstall fails when the DRBG CTR result is corrupted"); 300*e7be843bSPierre Pronchery} 301e0c4386eSCy Schubert 302e0c4386eSCy Schubert# corrupt a KAS test 303e0c4386eSCy SchubertSKIP: { 304e0c4386eSCy Schubert skip "Skipping KAS DH corruption test because of no dh in this build", 1 305*e7be843bSPierre Pronchery if disabled("dh") || disabled("fips-post"); 306e0c4386eSCy Schubert 307e0c4386eSCy Schubert ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 308e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 309e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 310e0c4386eSCy Schubert '-section_name', 'fips_sect', 311e0c4386eSCy Schubert '-corrupt_desc', 'DH', 312e0c4386eSCy Schubert '-corrupt_type', 'KAT_KA'])), 313e0c4386eSCy Schubert "fipsinstall fails when the kas result is corrupted"); 314e0c4386eSCy Schubert} 315e0c4386eSCy Schubert 316*e7be843bSPierre Pronchery# corrupt a Signature test - 140-3 requires a known answer test 317e0c4386eSCy SchubertSKIP: { 318e0c4386eSCy Schubert skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 319*e7be843bSPierre Pronchery if disabled("dsa") || disabled("fips-post"); 320*e7be843bSPierre Pronchery 321*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), 322*e7be843bSPierre Pronchery capture => 1, statusvar => \my $exit); 323*e7be843bSPierre Pronchery skip "FIPS provider version is too old for KAT DSA signature test", 1 324*e7be843bSPierre Pronchery if !$exit; 325*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 326*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 327*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 328*e7be843bSPierre Pronchery '-section_name', 'fips_sect', '-self_test_oninstall', 329*e7be843bSPierre Pronchery '-corrupt_desc', 'DSA', 330*e7be843bSPierre Pronchery '-corrupt_type', 'KAT_Signature'])), 331*e7be843bSPierre Pronchery "fipsinstall fails when the signature result is corrupted"); 332*e7be843bSPierre Pronchery} 333*e7be843bSPierre Pronchery 334*e7be843bSPierre Pronchery# corrupt a Signature test - 140-2 allows a pairwise consistency test 335*e7be843bSPierre ProncherySKIP: { 336*e7be843bSPierre Pronchery skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 337*e7be843bSPierre Pronchery if disabled("dsa") || disabled("fips-post"); 338e0c4386eSCy Schubert 339e0c4386eSCy Schubert run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), 340e0c4386eSCy Schubert capture => 1, statusvar => \my $exit); 341e0c4386eSCy Schubert skip "FIPS provider version is too new for PCT DSA signature test", 1 342e0c4386eSCy Schubert if !$exit; 343e0c4386eSCy Schubert ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 344e0c4386eSCy Schubert '-provider_name', 'fips', '-mac_name', 'HMAC', 345e0c4386eSCy Schubert '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 346e0c4386eSCy Schubert '-section_name', 'fips_sect', 347e0c4386eSCy Schubert '-corrupt_desc', 'DSA', 348e0c4386eSCy Schubert '-corrupt_type', 'PCT_Signature'])), 349e0c4386eSCy Schubert "fipsinstall fails when the signature result is corrupted"); 350e0c4386eSCy Schubert} 351e0c4386eSCy Schubert 352*e7be843bSPierre Pronchery# corrupt ML-KEM tests 353e0c4386eSCy SchubertSKIP: { 354*e7be843bSPierre Pronchery skip "Skipping ML_KEM corruption tests because of no ML-KEM in this build", 4 355*e7be843bSPierre Pronchery if disabled("ml-kem") || disabled("fips-post"); 356*e7be843bSPierre Pronchery 357*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]), 3580d0c8621SEnji Cooper capture => 1, statusvar => \my $exit); 359*e7be843bSPierre Pronchery skip "FIPS provider version doesn't support ML-KEM", 4 3600d0c8621SEnji Cooper if !$exit; 361*e7be843bSPierre Pronchery 362e0c4386eSCy Schubert ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 363*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 364*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 365*e7be843bSPierre Pronchery '-section_name', 'fips_sect', 366*e7be843bSPierre Pronchery '-corrupt_desc', 'ML-KEM', 367*e7be843bSPierre Pronchery '-corrupt_type', 'KAT_AsymmetricKeyGeneration'])), 368*e7be843bSPierre Pronchery "fipsinstall fails when the ML-KEM key generation result is corrupted"); 369*e7be843bSPierre Pronchery 370*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 371*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 372*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 373*e7be843bSPierre Pronchery '-section_name', 'fips_sect', 374*e7be843bSPierre Pronchery '-corrupt_desc', 'KEM_Encap', 375*e7be843bSPierre Pronchery '-corrupt_type', 'KAT_KEM'])), 376*e7be843bSPierre Pronchery "fipsinstall fails when the ML-KEM encapsulate result is corrupted"); 377*e7be843bSPierre Pronchery 378*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 379*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 380*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 381*e7be843bSPierre Pronchery '-section_name', 'fips_sect', 382*e7be843bSPierre Pronchery '-corrupt_desc', 'KEM_Decap', 383*e7be843bSPierre Pronchery '-corrupt_type', 'KAT_KEM'])), 384*e7be843bSPierre Pronchery "fipsinstall fails when the ML-KEM decapsulate result is corrupted"); 385*e7be843bSPierre Pronchery 386*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 387*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 388*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 389*e7be843bSPierre Pronchery '-section_name', 'fips_sect', 390*e7be843bSPierre Pronchery '-corrupt_desc', 'KEM_Decap_Reject', 391*e7be843bSPierre Pronchery '-corrupt_type', 'KAT_KEM'])), 392*e7be843bSPierre Pronchery "fipsinstall fails when the ML-KEM decapsulate implicit failure result is corrupted"); 393e0c4386eSCy Schubert} 394e0c4386eSCy Schubert 395e0c4386eSCy Schubert# 'local' ensures that this change is only done in this file. 396e0c4386eSCy Schubertlocal $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); 397e0c4386eSCy Schubert 398e0c4386eSCy Schubertok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf') 399e0c4386eSCy Schubert && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])), 400e0c4386eSCy Schubert "verify fips provider loads from a configuration file"); 401e0c4386eSCy Schubert 402e0c4386eSCy Schubertok(replace_parent_line_file('fips_no_module_mac.cnf', 403e0c4386eSCy Schubert 'fips_parent_no_module_mac.cnf') 404e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 405e0c4386eSCy Schubert '-config', 'fips_parent_no_module_mac.cnf'])), 406e0c4386eSCy Schubert "verify load config fail no module mac"); 407e0c4386eSCy Schubert 408a7148ab3SEnji CooperSKIP: { 409*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), 410*e7be843bSPierre Pronchery capture => 1, statusvar => \my $exit); 411*e7be843bSPierre Pronchery skip "FIPS provider version doesn't support self test indicator", 3 412*e7be843bSPierre Pronchery if !$exit; 413a7148ab3SEnji Cooper 414e0c4386eSCy Schubert ok(replace_parent_line_file('fips_no_install_mac.cnf', 415e0c4386eSCy Schubert 'fips_parent_no_install_mac.cnf') 416e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 417e0c4386eSCy Schubert '-config', 'fips_parent_no_install_mac.cnf'])), 418e0c4386eSCy Schubert "verify load config fail no install mac"); 419*e7be843bSPierre Pronchery 420e0c4386eSCy Schubert ok(replace_parent_line_file('fips_bad_indicator.cnf', 421e0c4386eSCy Schubert 'fips_parent_bad_indicator.cnf') 422e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 423e0c4386eSCy Schubert '-config', 'fips_parent_bad_indicator.cnf'])), 424e0c4386eSCy Schubert "verify load config fail bad indicator"); 425*e7be843bSPierre Pronchery 426*e7be843bSPierre Pronchery 427e0c4386eSCy Schubert ok(replace_parent_line_file('fips_bad_install_mac.cnf', 428e0c4386eSCy Schubert 'fips_parent_bad_install_mac.cnf') 429e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 430e0c4386eSCy Schubert '-config', 'fips_parent_bad_install_mac.cnf'])), 431e0c4386eSCy Schubert "verify load config fail bad install mac"); 432a7148ab3SEnji Cooper} 433e0c4386eSCy Schubert 434e0c4386eSCy Schubertok(replace_parent_line_file('fips_bad_module_mac.cnf', 435e0c4386eSCy Schubert 'fips_parent_bad_module_mac.cnf') 436e0c4386eSCy Schubert && !run(app(['openssl', 'fipsinstall', 437e0c4386eSCy Schubert '-config', 'fips_parent_bad_module_mac.cnf'])), 438e0c4386eSCy Schubert "verify load config fail bad module mac"); 439e0c4386eSCy Schubert 440*e7be843bSPierre ProncherySKIP: { 441*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), 442*e7be843bSPierre Pronchery capture => 1, statusvar => \my $exit); 443*e7be843bSPierre Pronchery skip "FIPS provider version doesn't support self test indicator", 3 444*e7be843bSPierre Pronchery if !$exit; 445e0c4386eSCy Schubert 446e0c4386eSCy Schubert my $stconf = "fipsmodule_selftest.cnf"; 447e0c4386eSCy Schubert 448e0c4386eSCy Schubert ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, 449e0c4386eSCy Schubert '-module', $infile, '-self_test_onload'])), 450e0c4386eSCy Schubert "fipsinstall config saved without self test indicator"); 451e0c4386eSCy Schubert 452e0c4386eSCy Schubert ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, 453e0c4386eSCy Schubert '-module', $infile, '-verify'])), 454e0c4386eSCy Schubert "fipsinstall config verify fails without self test indicator"); 455e0c4386eSCy Schubert 456e0c4386eSCy Schubert ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, 457e0c4386eSCy Schubert '-module', $infile, '-self_test_onload', '-verify'])), 458e0c4386eSCy Schubert "fipsinstall config verify passes when self test indicator is not present"); 459*e7be843bSPierre Pronchery} 460*e7be843bSPierre Pronchery 461*e7be843bSPierre ProncherySKIP: { 462*e7be843bSPierre Pronchery run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), 463*e7be843bSPierre Pronchery capture => 1, statusvar => \my $exit); 464*e7be843bSPierre Pronchery skip "FIPS provider version can run self tests on install", 1 465*e7be843bSPierre Pronchery if !$exit; 466*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 467*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 468*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 469*e7be843bSPierre Pronchery '-section_name', 'fips_sect', '-self_test_oninstall', 470*e7be843bSPierre Pronchery '-ems_check'])), 471*e7be843bSPierre Pronchery "fipsinstall fails when attempting to run self tests on install"); 472*e7be843bSPierre Pronchery} 473*e7be843bSPierre Pronchery 474*e7be843bSPierre Proncheryok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1, 475*e7be843bSPierre Pronchery 'fipsinstall defaults to not banning truncated digests with DRBGs'); 476*e7be843bSPierre Pronchery 477*e7be843bSPierre Proncheryok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, 478*e7be843bSPierre Pronchery '-provider_name', 'fips', '-mac_name', 'HMAC', 479*e7be843bSPierre Pronchery '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 480*e7be843bSPierre Pronchery '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])), 481*e7be843bSPierre Pronchery "fipsinstall knows about allowing truncated digests in DRBGs"); 482*e7be843bSPierre Pronchery 483*e7be843bSPierre Proncheryok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1, 484*e7be843bSPierre Pronchery 'fipsinstall will allow option for truncated digests with DRBGs'); 485*e7be843bSPierre Pronchery 486*e7be843bSPierre Pronchery 487*e7be843bSPierre Proncheryok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf', 488*e7be843bSPierre Pronchery '-module', $infile, '-pedantic'])), 489*e7be843bSPierre Pronchery "fipsinstall accepts -pedantic option"); 490*e7be843bSPierre Pronchery 491*e7be843bSPierre Proncheryforeach my $o (@pedantic_okay) { 492*e7be843bSPierre Pronchery ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf", 493*e7be843bSPierre Pronchery '-module', $infile, '-pedantic', "-${o}"])), 494*e7be843bSPierre Pronchery "fipsinstall accepts -${o} after -pedantic option"); 495*e7be843bSPierre Pronchery} 496*e7be843bSPierre Pronchery 497*e7be843bSPierre Proncheryforeach my $o (@pedantic_fail) { 498*e7be843bSPierre Pronchery ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', 499*e7be843bSPierre Pronchery '-module', $infile, '-pedantic', "-${o}"])), 500*e7be843bSPierre Pronchery "fipsinstall disallows -${o} after -pedantic option"); 501*e7be843bSPierre Pronchery} 502*e7be843bSPierre Pronchery 503*e7be843bSPierre Proncheryforeach my $cp (@commandline) { 504*e7be843bSPierre Pronchery my $o = $commandline[0]; 505*e7be843bSPierre Pronchery my $l = $commandline[1]; 506*e7be843bSPierre Pronchery 507*e7be843bSPierre Pronchery ok(find_line_file("${l} = 1", 'fips-pedantic.cnf') == 1, 508*e7be843bSPierre Pronchery "fipsinstall enables ${l} with -pendantic option"); 509*e7be843bSPierre Pronchery ok(find_line_file("${l} = 0", 'fips.cnf') == 1, 510*e7be843bSPierre Pronchery "fipsinstall disables ${l} without -pendantic option"); 511*e7be843bSPierre Pronchery 512*e7be843bSPierre Pronchery ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf", 513*e7be843bSPierre Pronchery '-module', $infile, "-${o}"])), 514*e7be843bSPierre Pronchery "fipsinstall accepts -${o} option"); 515*e7be843bSPierre Pronchery ok(find_line_file("${l} = 1", "fips-${o}.cnf") == 1, 516*e7be843bSPierre Pronchery "fipsinstall enables ${l} with -${o} option"); 517*e7be843bSPierre Pronchery} 518